TryHackMe — Metasploit: Meterpreter

YCZHU
6 min read · Apr 2, 2023

Task 1 Introduction to Meterpreter

Meterpreter is a Metasploit payload that supports the penetration testing process with many valuable components. Meterpreter will run on the target system and act as an agent within a command and control architecture. You will interact with the target operating system and files and use Meterpreter’s specialized commands.

Meterpreter also aims to avoid being detected by network-based IPS (Intrusion Prevention System) and IDS (Intrusion Detection System) solutions by using encrypted communication with the server where Metasploit runs (typically your attacking machine). If the target organization does not decrypt and inspect encrypted traffic (e.g. HTTPS) coming to and going out of the local network, IPS and IDS solutions will not be able to detect its activities.

While Meterpreter is recognized by major antivirus software, this feature provides some degree of stealth.

Task 2 Meterpreter Flavors

One way to get an idea of the available Meterpreter versions is to list them with msfvenom:

msfvenom --list payloads | grep meterpreter

Your decision on which version of Meterpreter to use will be based mostly on three factors:

  • The target operating system (Is the target operating system Linux or Windows? Is it a Mac device? Is it an Android phone? etc.)
  • Components available on the target system (Is Python installed? Is this a PHP website? etc.)
  • Network connection types you can have with the target system (Do they allow raw TCP connections? Can you only have an HTTPS reverse connection? Are IPv6 addresses not as closely monitored as IPv4 addresses? etc.)

You will notice some exploits will have a default Meterpreter payload, as you can see in the example below with the ms17_010_eternalblue exploit.

You can also list other available payloads using the show payloads command with any module.

Task 3 Meterpreter Commands

Typing help on any Meterpreter session (shown by meterpreter> at the prompt) will list all available commands.

If you run the help command, you will see Meterpreter commands are listed under different categories:

  • Core commands
  • File system commands
  • Networking commands
  • System commands
  • User interface commands
  • Webcam commands
  • Audio output commands
  • Elevate commands
  • Password database commands
  • Timestomp commands

Task 4 Post-Exploitation with Meterpreter

PS:

The ps command will list running processes. The PID column will also give you the PID information you will need to migrate Meterpreter to another process.

Migrate:

Migrating to another process lets Meterpreter run inside that process and interact with it.

To migrate to any process, you need to type the migrate command followed by the PID of the desired target process. The example below shows Meterpreter migrating to process ID 716.

Search

The search command is useful to locate files with potentially juicy information.

Shell

The shell command will launch a regular command-line shell on the target system. Pressing CTRL+Z will help you go back to the Meterpreter shell.

Task 5 Post-Exploitation Challenge

The questions below will help you have a better understanding of how Meterpreter can be used in post-exploitation.

You can use the credentials below to simulate an initial compromise over SMB (Server Message Block) (using exploit/windows/smb/psexec)

Username: ballen

Password: Password1

What is the computer's name?

Use exploit/windows/smb/psexec module as the task requires.

List the parameter of the psexec module: show options

As I am using my own Kali box, LHOST needs to be configured to the remote IP address.

Modify the options and run the exploit:

We now drop into a Meterpreter session on the target machine.

Run the command sysinfo:

ACME-TEST

What is the target domain?

Use the post/windows/gather/enum_domain module. Background the Meterpreter session first by pressing Ctrl+Z.

List the options for the enum_domain module:

The SESSION option is required. To find the session ID, list the active sessions with: sessions -l

Enter the session id of the Meterpreter and run the module:

FLASH

What is the name of the share likely created by the user?

Run exploit/windows/smb/psexec again, background the session and list the session ID:

Search for enum_shares and use the result: use 0

List the options and set the correct session ID.

Run the module and the answer is listed below:

speedster

What is the NTLM hash of the jchambers user?

Back to the Meterpreter session: sessions -i [session id]

List the running processes: ps

According to the hint, you have to migrate to lsass.exe first.

Run the command hashdump:

69596c7aa1e8daee17f8e78870e25a5c
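The migrate step from Task 4 and the migrate-into-lsass.exe-then-hashdump sequence above leave a recognizable trail on the endpoint: a thread started in another process by the payload's host process, followed by a handle opened on lsass.exe with memory-read rights. The following Python is an added example for this write-up, not code from the TryHackMe room or from Metasploit, showing how a defender would triage those two patterns over Sysmon-style telemetry. The event records are constructed here to mimic the field names Sysmon writes for Event ID 8 (CreateRemoteThread) and Event ID 10 (ProcessAccess); the allowlist of processes permitted to create remote threads is an assumed, site-specific baseline, not a Sysmon or Microsoft default.

```python
"""Triage Sysmon-style events for process migration and LSASS memory access.

Added example for this write-up; not part of the TryHackMe room or Metasploit.
SAMPLE_EVENTS is constructed inline so the script runs offline; in production
the same fields would be read from the Microsoft-Windows-Sysmon/Operational log.
"""

# Windows process access rights (from winnt.h) that matter for credential access.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020
SYNCHRONIZE = 0x100000

# Rights that allow reading or tampering with another process's memory.
MEMORY_ACCESS_RIGHTS = PROCESS_CREATE_THREAD | PROCESS_VM_READ | PROCESS_VM_WRITE

# Assumed site baseline: processes allowed to start threads in other processes.
# csrss.exe legitimately does this for console control handling; tune per estate.
KNOWN_INJECTORS = {r"c:\windows\system32\csrss.exe"}

# Constructed sample events mimicking Sysmon Event ID 1, 8 and 10 data fields.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe"},
    # Meterpreter "migrate": the payload host starts a thread inside spoolsv.exe.
    {"EventID": 8, "SourceImage": r"C:\Windows\Temp\payload.exe",
     "TargetImage": r"C:\Windows\System32\spoolsv.exe", "StartFunction": ""},
    # Benign remote thread from an allowlisted source.
    {"EventID": 8, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\conhost.exe", "StartFunction": "CtrlRoutine"},
    # "hashdump" after migration: the now-hosting process opens lsass.exe with
    # PROCESS_VM_READ | PROCESS_QUERY_LIMITED_INFORMATION (0x1010).
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\spoolsv.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    # Benign: wininit.exe opens lsass.exe with SYNCHRONIZE only.
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\wininit.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x100000"},
]


def parse_access_mask(value: str) -> int:
    """Sysmon writes GrantedAccess as a hex string such as '0x1010'."""
    return int(value, 16)


def flag_remote_threads(events, allowlist=KNOWN_INJECTORS):
    """Flag Event ID 8 records whose source process is not in the baseline."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 8:
            continue
        if ev["SourceImage"].lower() in allowlist:
            continue
        alerts.append(("remote_thread", ev["SourceImage"], ev["TargetImage"]))
    return alerts


def flag_lsass_access(events):
    """Flag Event ID 10 records that open lsass.exe with memory-access rights."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 10:
            continue
        if not ev["TargetImage"].lower().endswith(r"\lsass.exe"):
            continue
        mask = parse_access_mask(ev["GrantedAccess"])
        if mask & MEMORY_ACCESS_RIGHTS:
            alerts.append(("lsass_access", ev["SourceImage"], hex(mask)))
    return alerts


def triage(events):
    """Run both detections; in practice, correlate them by host and time window."""
    return flag_remote_threads(events) + flag_lsass_access(events)


if __name__ == "__main__":
    for kind, source, detail in triage(SAMPLE_EVENTS):
        print(f"[{kind}] source={source} detail={detail}")
```

Run stand-alone, the script reports the payload.exe thread into spoolsv.exe and the spoolsv.exe handle on lsass.exe, and stays quiet on the csrss.exe and wininit.exe events. The two alerts share a process name, which is exactly the correlation a detection rule should make: a process that was recently written into by a remote thread and then reads LSASS memory is far more suspicious than either event on its own.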

What is the cleartext password of the jchambers user?

Use any online hash cracker to crack the hash.

Where is the “secrets.txt” file located?

Use the command:

search -f [file_name]

What is the Twitter password revealed in the “secrets.txt” file?

Print the file:

Where is the “realsecret.txt” file located?

What is the real secret?

Method 1: print the file in the terminal

Method 2: since the file is located in the /wwwroot directory, it is served by the target's web server and can be fetched in a browser:
